Cisco CSA 4.2 + RADIUS + HP procurve switches

Hello!

We have a mixed network environment with Cisco / HP hardware.

We are currently assessing Cisco ACS 4.2 to manage access to our network equipment.

Cisco equipment works very well, but we have problems with RADIUS and ProCurve switches (TACACS+ works very well).

I googled around and it seems that you need to create new vendor-specific attributes (VSA, Vendor) for the ProCurve switches, and the IETF RADIUS settings, according to the variables on the right, must match the HP equipment.

Problem is that I can't find this information online.

Has anyone managed to solve this problem?

Would really appreciate help!

Thank you

BR

Generally, you should download the VSA for ACS. You must get the HP ini file. Once you have it, you need to create a VSA and transfer it to ACS.

Because we need to add a vendor-specific attribute in ACS, we must first create a file 'accountActions.csv' using the format specified in "RDBMS Synchronization Import Definitions". Once we are ready with the file, we must run an RDBMS Synchronization on the ACS (SE) and then go to Reports and Activity > RDBMS Synchronization and make sure that the synchronization completed without error. Once this is done, you must restart the ACS SE; then we can create a new AAA client using the new RADIUS (xxxx) vendor, and the attributes that we added can be made visible from Interface Configuration > by selecting the newly added RADIUS VSA attribute.

RDBMS Synchronization:

http://www.Cisco.com/univercd/CC/TD/doc/product/access/acs_soft/csacsapp/CSAPP40/ugse40/sad.htm#wp756877

RDBMS Synchronization Import Definitions:

http://www.Cisco.com/univercd/CC/TD/doc/product/access/acs_soft/csacsapp/CSAPP40/ugse40/AG.htm

Kind regards

~ JG
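An added example, not part of the original thread: a small Python encoder/decoder for the RFC 2865 Vendor-Specific attribute (type 26), showing the three things the VSA definition loaded into ACS must agree on with the switch: the Vendor-Id, the attribute number and the data type. HP's IANA vendor number 11 is standard; the attribute names, numbers and types in `HP_VSA` are assumed from the public HP dictionary shipped with FreeRADIUS, and the sample attribute lists are constructed.

```python
import struct

VSA_TYPE = 26       # RFC 2865 attribute type 26 = Vendor-Specific
HP_VENDOR_ID = 11   # Hewlett-Packard IANA enterprise number (Vendor-Id field)

# ProCurve VSA numbers and data types. Assumed here from the public HP
# dictionary shipped with FreeRADIUS; verify them against the dictionary
# file HP provides for your switch firmware before loading them into ACS.
HP_VSA = {
    1: ("HP-Privilege-Level", "integer"),
    2: ("HP-Command-String", "string"),
    3: ("HP-Command-Exception", "integer"),
}


def encode_vsa(vendor_id, vendor_type, value):
    """Encode one Vendor-Specific attribute in RFC 2865 layout:
    Type(26) | Length | Vendor-Id(4) | Vendor-Type | Vendor-Length | Value."""
    data = struct.pack("!I", value) if isinstance(value, int) else value.encode("utf-8")
    vendor_len = 2 + len(data)          # covers Vendor-Type, Vendor-Length and Value
    if vendor_len > 255 - 6:            # the whole attribute must fit one 8-bit Length
        raise ValueError("VSA value too long for a single attribute")
    body = struct.pack("!IBB", vendor_id, vendor_type, vendor_len) + data
    return struct.pack("!BB", VSA_TYPE, 2 + len(body)) + body


def decode_attributes(blob):
    """Walk a RADIUS attribute list; return (decoded HP VSAs, problems).
    Non-VSA attributes are skipped. Problems are the mismatches that make a
    ProCurve switch silently ignore an attribute: wrong Vendor-Id, an attribute
    number it does not know, or an integer value that is not 4 bytes."""
    found, problems = [], []
    i = 0
    while i + 2 <= len(blob):
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            problems.append(f"malformed attribute length at offset {i}")
            break
        if atype == VSA_TYPE and alen >= 8:
            vendor_id = struct.unpack("!I", blob[i + 2:i + 6])[0]
            vtype, vlen = blob[i + 6], blob[i + 7]
            data = blob[i + 8:i + 6 + vlen]
            if vendor_id != HP_VENDOR_ID:
                problems.append(f"VSA carries Vendor-Id {vendor_id}, not HP ({HP_VENDOR_ID})")
            elif vtype not in HP_VSA:
                problems.append(f"HP VSA number {vtype} is not in the dictionary")
            else:
                name, kind = HP_VSA[vtype]
                if kind == "integer" and len(data) != 4:
                    problems.append(f"{name} must be a 4-byte integer, got {len(data)} bytes")
                elif kind == "integer":
                    found.append((name, struct.unpack("!I", data)[0]))
                else:
                    found.append((name, data.decode("utf-8", "replace")))
        i += alen
    return found, problems


if __name__ == "__main__":
    # Constructed sample Access-Accept attribute list with two HP VSAs.
    accept = encode_vsa(HP_VENDOR_ID, 1, 3) + encode_vsa(HP_VENDOR_ID, 2, "configure")
    print(decode_attributes(accept))
    # Constructed mismatch: a Cisco-AVPair (Vendor-Id 9, attribute 1) that a ProCurve ignores.
    print(decode_attributes(encode_vsa(9, 1, "shell:priv-lvl=15")))
```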

Tags: Cisco Security

Similar Questions

  • How to restrict Internet access by using the RADIUS server via switch Catalyst 3560

    Dear all,

    I need a configuration using any. I have a small network of 15 users on a 3560, which is in turn connected to an ISR 2811 router. Interface fastethernet 0/24 of the 3560 switch I intend to connect to a unix-based RADIUS server. The ISP is connected on the opposite side of the 2811, on the fa0/0 interface.

    What I want is that if someone among the 15 users tries to access the internet, they must be validated by the RADIUS server with their pre-configured user credentials. (I'm going to store 15 user credentials there). If someone else (other than those 15) tries to connect, he or she should be denied internet access.

    The RADIUS server will have a login page to type the user name and password.

    Please guide me on what commands I should put into the 3560, or what specifically I need to have to run this task.

    Thanks in advance!

    Samrat.

    I haven't done this in a very long time, but what you probably want to do is activate web authentication.

    http://www.Cisco.com/c/en/us/TD/docs/switches/LAN/catalyst3560/software/release/12-2_52_se/configuration/guide/3560scg/swwebauth.html

  • What VPN Cisco IOS VPN and RADIUS client?

    Hello community,

    My company is trying to set up remote-user VPN for all of our external collaborators with the help of our existing Cisco router and a RADIUS server in Active Directory.

    I did all the AAA config on the router and set up the RADIUS, but I do not know which Cisco remote client to buy and how to set it up.

    Anyone who knows this setup or uses it, can you please help me so we don't lose our money (and my boss's time!)?

    Thanks in advance.

    Paul

    Paul,

    AnyConnect lets you connect using IKEv2/IPsec and SSLVPN to an IOS headend.

    There are countless configuration examples.

    Alternatively, some 3rd-party IKEv1/IPsec clients exist and are able to connect; however, those are not supported by Cisco TAC. You can check the feature called ezvpn.

    M.

  • Procurve switches update: should I shut down VMs on cluster that uses this switch?

    I have to update the firmware on our ProCurve switch soon. It needs to restart the switch. Should I shut down all the virtual machines on the cluster that uses this switch to communicate with our SAN via iSCSI?

    I don't know if I phrased the question properly, so do not hesitate to ask for more information or clarification.

    You want to disable HA on the cluster, of course, because if you don't have switch redundancy to your ESX hosts you will have a failover. It would be advisable to stop or pause the VMs that use this switch for iSCSI storage access; however, I did some tests on this and if VMs are running they literally just freeze in time, and as soon as the storage returns they pick up where they left off. I have to admit that I am impressed by the way the VMs manage losing connectivity to their storage. That said, you should technically power them off or suspend them.

    SID Smith-

    VCP, CCA (Server Xen), Hyper-V & SCVMM08 MCTS, CCNA and VTSP

    http://www.dailyhypervisor.com

    • Don't forget to assign points for correct and useful responses.  ;-)

  • AAA + RADIUS on Catalyst switches

    The command "Switch(config)# radius-server ..." doesn't appear on my Catalyst 3500. The Catalyst IOS version is c3500xl-c3h2s-mz.120-5.WC5

    How do I set the IP address of the RADIUS server and port?

    Regards

    I think I have the same version. As you can see below, the command is there.

    #sh ver
    Cisco Internetwork Operating System Software
    IOS (tm) C3500XL Software (C3500XL-C3H2S-M), Version 12.0(5)WC5, RELEASE SOFTWARE (fc1)
    Copyright (c) 1986-2002 by cisco Systems, Inc.
    Compiled Wed 28-May-02 11:41 by devgoyal
    Image text-base: 0x00003000, data-base: 0x0034A3C8

    ROM: Bootstrap program is C3500XL boot loader

    uptime is 40 weeks, 15 hours, 35 minutes
    System returned to ROM by reload
    System restarted at 23:17:01 PDT Mon Aug 19 2002
    System image file is "flash:c3500xl-c3h2s-mz.120-5.WC5.bin"

    cisco WS-C3524-XL (PowerPC403) processor (revision 0x01) with 8192K/1024K bytes of memory.
    Processor board ID FAB0513V068, with hardware revision 0x00
    Last reset from warm-reset

    Processor is running Enterprise Edition Software
    Cluster command switch capable
    Cluster member switch capable
    24 FastEthernet/IEEE 802.3 interface(s)
    2 Gigabit Ethernet/IEEE 802.3 interface(s)

    32K bytes of flash-simulated non-volatile configuration memory.
    Base ethernet MAC Address: 00:05:9B:93:13:80
    Motherboard assembly number: 73-3904-11
    Power supply part number: 0851-34-02
    Motherboard serial number: FAB051240RK
    Power supply serial number: PHI050204Z8
    Model revision number: A0
    Model number: WS-C3524-XL-EN
    System serial number: FAB0513V068
    Configuration register is 0xF

    #conf t
    Enter configuration commands, one per line. End with CNTL/Z.
    (config)#rad
    (config)#radius-server ?
      attribute           Customize selected radius attributes
      challenge-noecho    Data echoing to screen is disabled during Access-Challenge
      configure-nas       Attempt to download static routes and IP pools at startup
      deadtime            Time to stop using a server that doesn't respond
      directed-request    Allow user to specify radius server to use with '@'
      host                Specify a RADIUS server
      key                 Encryption key shared with the radius servers
      optional-passwords  The first RADIUS request can be made without requesting a password
      retransmit          Specify the number of retries to active server
      timeout             Time to wait for a RADIUS server to reply
      vsa                 Vendor specific attribute configuration

    Hope this helps you

    Leo

  • Cisco 2960, no mail, solid green system switch of death?

    I have 2 WS-C2960-24TT-L switches. Both are facing the same issue.

    When they start, all lights flash on the mode indicator panel, then it goes directly to a solid green "SYSTEM". Nothing is written on the console cable. I tried different computers, cables, and standard baud rates. None of the ports come up regardless of how long each switch is powered. The Mode button during boot produced the same result, nothing.

    Looks like they are dead; however, I thought this would be the place to go for ideas. Can I revive these switches?

    Nope.  Time for you to contact Cisco TAC and get the devices RMA'ed.

  • Cisco ISE and Meraki RADIUS

    I am very new to Cisco ISE and Meraki.  I am trying to get the RADIUS configuration for wireless authentication working.  When I do a test from the Meraki to ISE, it passes.

    When I try to connect from my laptop, I look at the RADIUS logs and it passes; however, it does not match me to the right policy.  I keep hitting the default policy.  I have my Meraki policy above the default policy in the policy set.  I have attached what my policy set looks like.

    Device type does not really matter. Here is what I see when I create a device group (where you add the access point to this group), and then create the condition:

    And here is where I create the policy set condition, and you should be able to select the Meraki access points:

    This will give you a condition similar to what I posted above. This is perhaps why you aren't hitting it: it is not matching the condition for this policy set.

  • [Cisco AnyConnect] Certificate on RADIUS authentication

    Hello

    I use certificate authentication and LDAP authorization and it works fine.

    Now, I want to centralize authentication and authorization on the RADIUS server (Cisco ACS in my case).

    In the connection profile, we have 3 authentication methods:

    • AAA: I can choose a RADIUS server group or LDAP --> the user is prompted to enter the username/password credentials
    • Certificate: I can't choose an AAA server group... --> the user will have to provide the certificate
    • Both: I choose RADIUS or LDAP --> the user is prompted for username/password credentials and the user must provide the certificate

    If I choose the certificate authentication method, I can't delegate authentication and authorization to the RADIUS server.

    Is there a solution to delegate the certificate authentication to the RADIUS server?

    I have different authorization rules for each VPN connection profile.

    Can the ASA send the VPN connection profile to the RADIUS server? (in a RADIUS attribute...)

    Thanks for your help,

    Patrick

    Patrick,

    The essential thing in deployments using WLC is that the client can talk EAP (including EAP-TLS), so the AAA server can authenticate the certificate.

    In the case of AnyConnect, or the old IPsec client, there is no way to send the full cert to the AAA server (not implemented/redundant from the point of view of the client, or not in the standard).

    IOS also gives you a possibility to make PKI authorization calls:

    http://www.Cisco.com/en/us/docs/iOS-XML/iOS/sec_conn_pki/configuration/15-2mt/sec-cfg-auth-Rev-cert.html

    AFAIR there is no similar mechanism on the ASA.

    M.

  • [Cisco ACS] 11036 the RADIUS Message Authenticator attribute is invalid

    Hello

    I have a lot of Cisco APs joined to 2 Cisco WLCs.

    On each WLC, I configured a primary and a secondary RADIUS server.

    RADIUS servers are Cisco ACS 5.2.0.26 (patch 10)

    ACS primary and secondary configurations are synchronized.

    There is no problem between primary rules WLC and Cisco ACS (primary and secondary).

    When the secondary WLC asks the primary Cisco ACS, I get this error: "11036 The RADIUS Message Authenticator attribute is not valid".

    The secondary WLC automatically contacts the secondary Cisco ACS and it works fine.

    Cisco ACS description for this error: "This can be because of mismatched shared secrets."

    The two Cisco ACS are synchronized, so I should have the same error on both...

    Why does the primary ACS generate this error?

    Thanks for your help,

    Patrick

    Patrick: The shared secret mismatch could be on the WLC side, not on the ACS side.

    Make sure that the shared secret of the primary RADIUS server is configured correctly on the secondary WLC.

    HTH

    Amjad

    Rating useful answers is more useful than saying "thank you".

  • Cisco 6248 FI to Brocade 6510 SAN switch shows Link Down

    Hi all

    This is a new installation of Cisco UCS with a Brocade 6510 SAN switch.

    I followed the Cisco UCS to Brocade connectivity guide.

    Even on the switch side the FI link is not coming up. No lights are glowing.

    When I checked switchshow on the Brocade 6510, the ports display No_Light status, whereas on other ports it shows the WWN of my storage device.

    On the FI, when I click on the FC ports, it shows all of them in state link down.

    Anyone facing this problem?

    Am I missing some configuration steps?

    Kind regards

    Praveen

    This should be a trivial or a very complex problem. I'd bet on trivial.

    Brocade is a 16G FC switch; negotiation up to 8G seems to work (storage subsystem).

    Maybe you could try to fix the speed of the Brocade port at 8G!

    Or something is wrong with the cables? Send / receive crossed?

    Are the SFPs shortwave MMF? Cables matching as well?

    Connect a cable from port e.g. 31 to 33, 32 to 34 and see if it works?

  • Cisco WSA: What is RADIUS CLASS attribute?

    Hello!

    I am trying to use a Cisco ISE RADIUS server as an external authentication server for the WSA. I would like to assign roles to groups of users, but I do not understand the meaning of the RADIUS CLASS attribute. What should I write in this field?

    Thank you

    Stephane Walker

    The CLASS attribute is generic; you can put anything in it.   So you get to decide what you use.

    On your RADIUS box, for the users or the group it applies to, set it to something like "WSAAdmin" for admins, "WSARO" for read-only users...

    Then, when you configure the WSA, you set them correctly there...

    But you can really use any string you want; they just need to match the appropriate way.

    HTH,

    Ken

  • Cisco 2611 router and RADIUS

    Greetings. First of all, let me start by saying that I am a fool, I know I am a fool and I apologize for wasting everyone's time. In fact, I do RTFM, RTFMs a lot, and I've yet to find a resolution.

    Secondly, I am setting up a RADIUS server in my test network. I installed Yopougon RADIUS on a Windows 2000 system. I have the following setup on my Cisco 2611 router:

    Using 2297 out of 29688 bytes
    !
    ! Last configuration change at 17:20:27 PDT Tue May 20 2008
    ! NVRAM config last updated at 17:20:29 PDT Tue May 20 2008
    !
    version 12.1
    no service single-slot-reload-enable
    service timestamps debug datetime localtime show-timezone msec
    service timestamps log datetime localtime show-timezone msec
    service password-encryption
    !
    hostname Tester
    !
    logging buffered 10000 debugging
    aaa new-model
    aaa group server radius RadiusServers
     server 172.26.0.2 auth-port 1812 acct-port 1813
    !
    aaa authentication login default group RadiusServers local
    aaa authentication login localauth local
    aaa authentication ppp default if-needed group radius local
    aaa authorization exec default group radius local
    aaa authorization network default group radius local
    aaa accounting delay-start
    aaa accounting exec default start-stop group radius
    aaa accounting network default start-stop group radius
    aaa processes 6
    enable secret xxx
    !
    username test password xxx
    !
    clock timezone PST -8
    clock summer-time PDT recurring
    ip subnet-zero
    no ip domain-lookup
    !
    no ip bootp server
    !
    interface Loopback0
     ip address 192.168.0.1 255.255.255.0
    !
    interface Ethernet0/0
     description main network
     ip address X.X.X.X 255.255.255.128
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat outside
     full-duplex
     no cdp enable
    !
    interface Ethernet0/1
     description internal network
     ip address 172.26.0.1 255.255.255.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat inside
     load-interval 30
     full-duplex
     no cdp enable
    !
    ip nat pool test X.X.X.X X.X.X.X netmask 255.255.255.128
    ip nat inside source list 3 pool test overload
    ip nat inside destination list 3 pool test
    ip classless
    ip route 0.0.0.0 0.0.0.0 X.X.X.X
    no ip http server
    !
    ip radius source-interface Ethernet0/1
    access-list 3 permit 172.26.0.0 0.0.0.255
    no cdp run
    snmp-server community public RO 15
    radius-server host 172.26.0.2 auth-port 1812 acct-port 1813 key secret
    radius-server retransmit 3
    radius-server key secret
    !
    line con 0
     password xxx
     logging synchronous
    line aux 0
    line vty 0 4
     access-class 10
     password 7 1234567890
     logging synchronous
    !
    ntp clock-period 17208108
    ntp server 192.43.244.18
    end

    My RADIUS server is in place and responds to queries, but my router does not seem to be forwarding authentication requests to it. In fact, when I connect to the router using HyperTerminal, it times out, and I end up authenticating locally.

    I don't really care whether my Cisco equipment authenticates with the RADIUS server, but I have to get it set up to authenticate my users so that I can track their time online. What did I miss in my router configuration? It does not forward user authentication requests to the RADIUS server.

    Thanks for any assistance you may be able to provide.

    If you explore authentication proxy and it works, it could make you forget PPPoE fast enough.

    If you decide to pursue PPPoE, the following link is probably where you will find most of the information on the configuration of Cisco PPPoE:

    http://www.Cisco.com/en/us/Tech/tk175/tk819/tsd_technology_support_protocol_home.html

    The "Service Providers" Cisco forum could provide some guidance on whether PPPoE is achievable with your platform and environment.

  • Cisco standalone AP with a dumb unmanaged switch

    Dear friends,

    Can there be a problem if I connect a standalone AP to a dumb unmanaged switch, any cause of a loop or something?

    Thank you

    If it is a simple network, that is, if we use only one VLAN, there should not be any problems.

    Thank you

    Emilie

    * Please rate the post if you find it useful. *

  • Cisco Nexus to use authentication Radius AAA using Microsoft 2008 NPS

    I have a Nexus 7010 running

    I was wondering if you can help me with something. I'm having a problem with command authorization through our aaa config. We do not have an authentication problem; it is command authorization that does not work. From what I've seen and read, Nexus NX-OS 6.x does not have all the commands for aaa authorization unless you configure TACACS+. My basic config is below; if you can help it would be much appreciated.

    > ip radius source-interface mgmt 0
    > radius-server key XXXXX
    > radius-server host X.X.X.X key XXXXX authentication accounting
    > radius-server host X.X.X.X key XXXXX authentication accounting
    > aaa authentication login default group Radius_Group
    > aaa authentication login console group Radius_Group local
    > aaa group server radius Radius_Group
    >   server X.X.X.X
    >   server X.X.X.X
    >   source-interface mgmt0

    Also, does anybody know how to configure Microsoft 2008 NPS as a RADIUS server to work with Nexus? I read a few posts that suggest setting

    shell:roles="vdc-admin" in the value field of the attribute on the RADIUS server

    Anyone know if it works?

    Thank you

    I haven't used NPS before, but it sounds like you are on the right track. As Ed mentioned in his post, GBA, you can set the type of protocols that you will accept during an authentication session. Nexus authentication sessions are considered PAP/ASCII, so you should be good to go. I don't have a Nexus switch to test with, but if you can, use wireshark to capture the session and see the exact protocol / method used. However, I am sure that PAP is the way to go:

    http://www.Cisco.com/c/en/us/TD/docs/switches/Datacenter/SW/4_1/NX-OS/se...

    I also found the link that you might find useful:

    http://www.802101.com/2013/08/Cisco-Nexus-and-AAA-authentication.html

    Thank you for evaluating useful messages!

  • Switches: RADIUS or GANYMEDE?

    Hello

    So far I've managed my switches with TACACS+, but now I have to deploy 802.1X, which requires RADIUS only.

    As far as I know, ACS (I use 4.2) allows you to define a device using only TACACS+ or RADIUS, but not both.

    Am I mistaken? Or is there a way to define an AAA client to communicate with the ACS using both protocols?

    Assuming I'm right, I then considered the following options:

    -Configure all switches to use RADIUS for every service (authentication, authorization, etc.). This makes it easier, but I lose the TACACS+ services for the switches. How big a loss is that?

    OR

    -Configure the L3 switches to use a second address, just for the RADIUS services. They would keep using TACACS+, but it would require a new network for the RADIUS service; in addition, L2 switches do not support two IP addresses and would require a migration to RADIUS anyway.

    A considerable administrative burden, in other words.

    I'm not ready to deploy a second RADIUS (ACS, Windows, whatever) right now.

    The key point is this: reading around I see Cisco documentation always recommends using TACACS+ for management, but in this case it is not possible. In general, whenever the unit has a network-entry role (switch or access point), RADIUS seems to be the protocol of choice. Would moving to RADIUS have some drawback, or is it only a change in the communication protocol? (I know the difference between TACACS+ and RADIUS: tcp vs udp, whole-packet encryption vs password-only encryption.)

    Thanks in advance

    C

    Hello Carlo,

    You can keep using TACACS+ for device management and RADIUS for 802.1x, with no need for additional IPs on additional servers or on each managed device.

    ACS 4.2 allows you to define two AAA clients with the same IP address, one for TACACS+ and one for RADIUS; however, the host name must be unique.

    Then, on the switch, you can define the same ACS server as a radius-server host and a tacacs-server host, and configure the "aaa" commands for console login and authorization pointing to the TACACS+ server and the dot1x part pointing to the RADIUS server.

    What you're looking for is feasible, and it is normal to use TACACS+ for device management and RADIUS for 802.1x.

    I hope that answers your questions.

    Kind regards

    Federico

    --

    If this answers your question, please mark the question as "answered" and rate it, so other users can easily find it.
